SB2026052125 - Input validation error in go-attestation

Published: May 21, 2026

Security Bulletin ID SB2026052125
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise the integrity of the verifier's trusted measurement database.

The vulnerability exists due to improper input validation in parseEfiSignatureList() in attest/internal/events.go when parsing a TPM event log that contains an EFI_SIGNATURE_LIST with a non-empty vendor signature header (the variable-length SignatureHeader region that precedes the EFI_SIGNATURE_DATA entries and whose length is declared by SignatureHeaderSize). A remote attacker who can get a specially crafted TPM event log in front of the verifier, for example as the attesting host that submits its own log, can use this to compromise the integrity of the trusted measurement database. The AT:P component of the CVSS vector reflects that precondition.

For hashSHA256SigGUID (EFI_CERT_SHA256_GUID) lists, the vendor header bytes are not skipped and are instead interpreted as signature entries, so arbitrary attacker-chosen SHA256 hashes can be added to the verifier's trusted hash list.
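The following Go program is an added illustration of the parsing mistake the bulletin describes; it is not go-attestation's code and the function names (naiveSHA256Hashes, hardenedSHA256Hashes, buildSampleList) are hypothetical. It lays out an EFI_SIGNATURE_LIST exactly as the UEFI specification defines it (16-byte SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize, then SignatureHeaderSize bytes of vendor header, then EFI_SIGNATURE_DATA entries of SignatureSize bytes each, where a SHA-256 entry is a 16-byte SignatureOwner GUID followed by the 32-byte digest). The constructed sample list declares a 48-byte vendor header shaped like a signature entry. A parser that starts reading entries immediately after the 28-byte fixed header reports the attacker's digest as trusted; a parser that bounds-checks the size fields and skips the declared header reports only the genuine entry.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// EFI_CERT_SHA256_GUID (a5c059a1-94e4-4aa7-87b5-ab155c2bf072) in the byte order
// it appears on the wire (UEFI mixed-endian GUID layout).
var efiCertSHA256GUID = [16]byte{
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,
}

const (
	sigListFixedLen = 16 + 4 + 4 + 4 // SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
	sha256SigSize   = 16 + 32        // EFI_SIGNATURE_DATA for SHA-256: SignatureOwner GUID + digest
)

// efiSignatureList mirrors the fixed part of EFI_SIGNATURE_LIST.
type efiSignatureList struct {
	SignatureType       [16]byte
	SignatureListSize   uint32
	SignatureHeaderSize uint32
	SignatureSize       uint32
}

func readHeader(b []byte) (efiSignatureList, error) {
	var h efiSignatureList
	if len(b) < sigListFixedLen {
		return h, errors.New("truncated EFI_SIGNATURE_LIST header")
	}
	if err := binary.Read(bytes.NewReader(b[:sigListFixedLen]), binary.LittleEndian, &h); err != nil {
		return h, err
	}
	return h, nil
}

// naiveSHA256Hashes models the flaw described in the bulletin (hypothetical code,
// not the project's): entries are read straight after the fixed header and
// SignatureHeaderSize is ignored, so vendor header bytes become "signatures".
func naiveSHA256Hashes(b []byte) ([]string, error) {
	h, err := readHeader(b)
	if err != nil {
		return nil, err
	}
	if h.SignatureType != efiCertSHA256GUID {
		return nil, errors.New("not an EFI_CERT_SHA256 list")
	}
	var out []string
	for off := sigListFixedLen; off+sha256SigSize <= int(h.SignatureListSize) && off+sha256SigSize <= len(b); off += sha256SigSize {
		out = append(out, hex.EncodeToString(b[off+16:off+sha256SigSize]))
	}
	return out, nil
}

// hardenedSHA256Hashes validates every size field against the buffer and skips
// SignatureHeaderSize bytes before reading entries, as the UEFI layout requires.
func hardenedSHA256Hashes(b []byte) ([]string, error) {
	h, err := readHeader(b)
	if err != nil {
		return nil, err
	}
	if h.SignatureType != efiCertSHA256GUID {
		return nil, errors.New("not an EFI_CERT_SHA256 list")
	}
	total := int(h.SignatureListSize)
	if total < sigListFixedLen || total > len(b) {
		return nil, fmt.Errorf("SignatureListSize %d out of range for %d-byte buffer", total, len(b))
	}
	if h.SignatureSize != sha256SigSize {
		return nil, fmt.Errorf("SignatureSize %d, want %d for SHA-256 entries", h.SignatureSize, sha256SigSize)
	}
	if h.SignatureHeaderSize > uint32(total-sigListFixedLen) {
		return nil, errors.New("SignatureHeaderSize exceeds list")
	}
	start := sigListFixedLen + int(h.SignatureHeaderSize) // vendor header is skipped, never parsed as entries
	if (total-start)%sha256SigSize != 0 {
		return nil, errors.New("signature area is not a whole number of entries")
	}
	var out []string
	for off := start; off < total; off += sha256SigSize {
		out = append(out, hex.EncodeToString(b[off+16:off+sha256SigSize]))
	}
	return out, nil
}

// buildSampleList constructs (test data, not a real log) a list whose 48-byte
// vendor header is shaped like an EFI_SIGNATURE_DATA entry carrying attackerDigest,
// followed by one genuine entry carrying trustedDigest.
func buildSampleList(attackerDigest, trustedDigest [32]byte) []byte {
	var owner [16]byte
	hdr := append(owner[:], attackerDigest[:]...)
	entry := append(owner[:], trustedDigest[:]...)
	h := efiSignatureList{
		SignatureType:       efiCertSHA256GUID,
		SignatureListSize:   uint32(sigListFixedLen + len(hdr) + len(entry)),
		SignatureHeaderSize: uint32(len(hdr)),
		SignatureSize:       sha256SigSize,
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, h)
	buf.Write(hdr)
	buf.Write(entry)
	return buf.Bytes()
}

func main() {
	var attacker, trusted [32]byte
	for i := range attacker {
		attacker[i], trusted[i] = 0xAA, 0x11
	}
	list := buildSampleList(attacker, trusted)
	naive, _ := naiveSHA256Hashes(list)
	fmt.Println("naive parser trusts:   ", naive)
	hard, err := hardenedSHA256Hashes(list)
	fmt.Println("hardened parser trusts:", hard, err)
}
```

The hardened variant skips the header rather than rejecting lists with SignatureHeaderSize != 0, because the field is part of the format and a verifier should parse it consistently regardless of signature type; what it must never do is treat header bytes as entries. A verifier that also wants to be strict can additionally reject any non-zero header for the SHA-256 GUID, which the UEFI specification defines with no header.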


Remediation

Install the update from the vendor's website. go-attestation is consumed as a Go module, so verifiers that vendor or import the attest package must be rebuilt and redeployed against the fixed version.